Criminals increasingly are targeting resource-strapped mid-market companies for their hacks and scams. The view from the security window is growing darker for every enterprise, big, small and in-between but that won't come as a surprise to anyone who pays even the slightest attention to security issues. When have you ever read that the Internet is becoming a more, not less, secure place to do business?

The situation is particularly dire in the mid-market where, according to the CIO Global State of Information Security 2006 survey, "about 43 percent of mid-market companies have annual security budgets below $100,000," which isn't huge, all things considered.

The truth, as evidenced by January's revelation that big-market US retailer TJX was hacked, is that the security situation is dire everywhere. Ironically, the TJX hack is good news. Several Massachusetts banks have been able to link fraudulent credit card purchases directly to the TJX breach - the first time this has happened. Once losses can be linked to specific breaches, lawsuits can be filed claiming damages, especially in the US and once lawsuits are filed, the ROI of investing in security suddenly becomes blindingly obvious.

It's like in the NBA. In order for a team to improve, first it has to get really bad so that it gets a shot at a game-changing draft pick. In order for security to improve, business has to suffer.

Several years ago, CSO Senior Editor Scott Berinato wrote a story in which he suggested that, "the insurance industry in all likelihood will be the engine that drives the technology of security. Software vendors will be forced to fix the holes in their products in order to benefit from lower premiums."

As long as a business feels it's done all it can by advising customers (as TJX did) to check their credit card statements, nothing will change. But a punch in the wallet: that will focus an enterprise's attention.